Assessing human-system resilience potential throughout the development lifecycle*

Academic year: 2021

Amy L. Alexander

MIT Lincoln Laboratory (MIT LL) Lexington, MA USA

Dan Herschler

Federal Aviation Administration (FAA) Washington DC, USA

We worked with subject matter experts to create a human-system resilience checklist that can be utilized during Independent Operational Assessments (IOAs) of air traffic control systems as part of the system acquisition process. The checklist focuses on four key areas for evaluating human-system resilience characteristics: procedures, system use, workload, and training. A resilience scoring method indicates areas where a human-machine system under consideration does or does not have resilient characteristics. Overall resilience scores can be compared among design alternatives, or across different points in system development for a particular design. The ultimate intent is to provide guidance and metrics that will enable the FAA to address human-system resilience aspects in the implementation of NextGen capabilities in the National Airspace System (NAS). The goal of increased resilience is to reduce the risks and potential impacts of disruptive events, and to safeguard the efficiency, safety, and cost effectiveness of NextGen NAS operations.

The Federal Aviation Administration’s NextGen program uses many complex systems and technologies to increase the efficiency, safety, and cost effectiveness of the National Airspace System. Although NextGen systems are designed to achieve defined system availability requirements, system degradation and failure are still a very real, if remote, possibility.

Designing and assessing systems with resilience to failures in mind can reduce the risks or potential impacts of degradations. Looking to the literature, there are a variety of definitions of resilience (see Reason, 2000; Sheridan, 2008); however, a number of common characteristics emerge relating to anticipating adverse effects, withstanding unexpected conditions, maintaining control, sustaining operations, and recovering quickly when something goes wrong. Resilience is defined by the FAA as maintaining safety and a minimum level of service in reaction to system failures or degradations (FAA, 2016). The underlying goal is to prevent or mitigate impacts on air traffic operations.

Previous work (e.g., Hollnagel, Woods, & Leveson, 2006) has identified characteristics of resilient organizations and human-machine systems, and initial experimental methods for assessing resilience potential have been developed. However, these methods primarily apply to existing or well-prototyped systems. In an effort to assess the resilience potential of an operational capability earlier in the system development lifecycle, we worked with subject matter experts to create a human-system resilience checklist that can be utilized during Independent Operational Assessments (IOAs) of FAA air traffic control systems as part of the system acquisition process. The checklist focused on four key areas, identified through collaboration with subject matter experts in conjunction with review of the resilience literature, that should be considered when evaluating human-system resilience characteristics: procedures, system use, workload, and training. A resilience scoring method was developed to provide an indication of areas where a system under consideration does or does not have resilient characteristics. The overall resilience score can then be compared to design alternatives, or across different points in the system development lifecycle for that particular design and operational context. The checklist and scoring system has yet to be validated, but upcoming IOA testing is anticipated to provide insight and feedback about the utility of this approach for assessing human-system resilience.

* DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited.

This material is based upon work supported by the Federal Aviation Administration under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Federal Aviation Administration.

Method

The first step in creating the human-system resilience checklist was to identify resilient characteristics of NextGen systems, including ways to build, enhance, and assess the resilience of complex human-machine systems. MIT LL conducted a literature review on characteristics of resilient systems, particularly focused on human-automation systems (Yenson et al., 2015). System reliability, system predictability, and operator engagement emerged as three key areas for examining resilience potential. The identified characteristics of resilient automation systems were then translated into a list of phrases (e.g., a resilient system is able to handle “unknown unknown” situations). These phrases formed the basis of a resilience job aid that was originally developed in reference to the safety risk management (SRM) process, without a specific target application or end user group. An excerpt from this job aid is presented in Figure 1. The job aid specifically pointed out questions to ask and actions to take; provided detailed explanations, rationales, and references to SRM documentation; and included a basic scoring method for assessing resilience potential.

Various discussions regarding resilience with the FAA led us to the Independent Safety Assessment Team (AJI-321) of the FAA Air Traffic Organization’s (ATO) Safety and Technical Training office, which is responsible for conducting independent operational assessments (IOAs) of designated NextGen systems. IOAs verify new FAA systems or solutions are suitable, operationally effective, and safe prior to deployment in the NAS. Specifically:

• IOAs are independent from the FAA office responsible for deploying the new system/capability.

• IOAs are conducted at operational key sites during live NAS operations.

• IOAs are major structured assessments with the purpose of identifying safety hazards and operational concerns with new systems/capabilities.

AJI-321 agreed for IOA to be a focus area for our work, and we coordinated across seven working group meetings to review the original resilience job aid and customize it for use during IOAs. We determined that a more streamlined checklist would be most appropriate for the IOA context. Working group meetings then focused on carefully reviewing the overall checklist content, categorizing questions in a meaningful way, and revising the wording of the questions and their associated responses. Usability and usefulness of the checklist as well as a resilience scoring system were also discussed as our checklist development progressed.

Checklist

The final checklist contained questions broken down into four key categories for evaluating human-system resilience characteristics: procedures, system use, workload, and training. Example questions from each checklist section are presented in Figures 2-5. Questions were presented with up to four response options, each having a point value associated with it as well as a color-coded indicator of goodness (red: not indicative of a resilient system; yellow: resiliency needs improvement; green: indicative of a resilient system). The evaluator was instructed to select the most appropriate response for each question, and there were comment fields for any additional notes that would be helpful to capture.

Figure 3. Example System Use Checklist Questions

Figure 4. Example Workload Checklist Questions

Checklist Scoring

A basic scoring system was developed to tally across responses and provide an ordinal resilience score for each of the four categories. An example resilience scorecard for the procedures category is presented in Figure 6. Total points possible are broken into three levels to provide a general assessment of low/moderate/high human-system resilience. Individual category scores can then be combined to provide an overall human-system resilience score, as shown in Figure 7.

Figure 6. Procedure Resilience Scorecard

This simple scoring system was developed so as not to imply any unwarranted precision in quantifying certain responses or categories over others. The notion here is that the checklist provides an indication of areas where a system under consideration does or does not have resilient characteristics, and a basis of comparison among design alternatives, or across different points in system development for a particular design, to determine if the design of a system is improving over time from a resilience perspective.

Conclusions

In an effort to assess the resilience potential of a system, we worked with subject matter experts to create a human-system resilience checklist that can be utilized during IOAs of air traffic control systems as part of the system acquisition process. The checklist and scoring method presented here have yet to be validated, but application of the revised checklist during upcoming IOA testing may provide initial validation and feedback about the utility of the checklist approach for assessing human-system resilience.

Acknowledgements

This material is based upon work supported by the Federal Aviation Administration under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Government or the Federal Aviation Administration.

References

Federal Aviation Administration (2016). Performance Based Navigation NAS Navigation Strategy 2016. US Department of Transportation.

Hollnagel, E., Woods, D. D., & Leveson, N. (2006). Resilience Engineering: Concepts and Precepts. Aldershot, UK: Ashgate.

Reason, J. (2000). Reducing human error through safety management practices. Presented at The 14th Annual FAA/CAA/Transport Canada Human Factors in Aviation Maintenance Symposium. Vancouver, Canada. Retrieved from: http://www.faa.gov/about/initiatives/maintenance_hf/library/documents/media/mx_faa_(formerly_hfskyway)/strategic_program_plan_(1998)/14th_symposium/reducing_human_error_through_safety_management_practices.pdf

Sheridan, T. (2008). Risk, human error, and system resilience: Fundamental ideas. Human Factors, 50, 418-426. doi: 10.1518/001872008X250773

Yenson, S. K., Phillips, S., Davis, A., & Won, J. (2015). Exploring human-system resilience in air traffic management technologies. Presented at the 2015 IEEE/AIAA 34th Digital
